Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: Avoid hardcoded internet gateway certificate #726

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore: Avoid hardcoded internet gateway certificate #726

wants to merge 1 commit into from

Conversation

sdsantos
Copy link
Collaborator

@sdsantos sdsantos commented Jan 4, 2024

Closes #556

Unless I'm mistaken, we don't need to even a self-issued Internet Gateway certificate, we only need our local self-issued certificate.

I tried a simple approach:

  • returning nulls while we don't have the Internet Gateway certificate and ID
  • Skip operations that need the Internet Gateway certificate and ID with relevant logging

I haven't changed the UI/UX to show something while the Gateway is not registered. That would need maybe a new illustration? Or at least new copy for the home screen. Should that be a another task?

gnarea
gnarea requested changes Jan 11, 2024
View reviewed changes
Copy link
Member

@gnarea gnarea left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The bulk of the change appears to be handling the case where the id or public key of the Internet gateway is missing. However, unless I'm missing something, that's different from #556 (i.e., the private gateway's certificate is missing).

Having said this, I forgot to update #556 with an important detail: whist we should indeed remove public_gateway_cert.der, we should replace it with the connection parameters of frankfurt.relaycorp.tech just like we do in Awala Ping. This NodeConnectionParams instance will contain the internetAddress (frankfurt.relaycorp.tech) and publicKey of the Internet gateway -- meaning that we can populate the InternetGatewayPreferences with those details as soon as the app starts for the first time.

Unfortunately, the current version of the Awala Internet Gateway doesn't yet expose this file like the Awala Pong server does, but I'll implement it today or tomorrow. I'll ping you once I've done that.

As for #556, the goal is to properly handle the scenario where we haven't yet got an identity certificate issued by our Internet gateway (the one we get after successfully registering with the Internet gateway).

The problem we have today is that we're faking it with a self-issued certificate that has no validity on the network. For example, when an app registers an endpoint before we have a valid identity certificate, we generate a self-issued certificate so that we can subsequently issue a certificate for the endpoint -- instead, we should block the registration of the endpoint (with the "gateway not ready" approach we have today for other things, but I couldn't find the respective code to link to it).

@sdsantos
Copy link
Collaborator Author

@gnarea But we're already handling endpoint registration when the gateway is not registered yet:

relaynet-gateway-android/app/src/main/java/tech/relaycorp/gateway/background/endpoint/EndpointPreRegistrationService.kt

Lines 67 to 70 in 82afd23

internetGatewayPreferences.getRegistrationState() != RegistrationState.Done -> {
logger.log(Level.WARNING, "Gateway not ready for registration")
Message.obtain(null, GATEWAY_NOT_REGISTERED)
}

Maybe that's what threw me off track in the task?

@gnarea gnarea mentioned this pull request Jan 16, 2024
Merged
kodiakhq bot pushed a commit to relaycorp/awala-gateway-internet that referenced this pull request Jan 18, 2024
@gnarea
feat: Expose connection params (#1139)
2c852a5 
Needed in relaycorp/relaynet-gateway-android#726
@gnarea
Copy link
Member

gnarea commented Jan 18, 2024

Hi @sdsantos 👋🏾

Good catch. I think the issue is partly out of date then: we're no longer using any self-issued certificate that should be removed. Whilst we're indeed handling the case the scenario where the private gateway has never registered, we're not handling the case where its certificate expired (getRegistrationState() only seems to consider whether we ever registered). Obviously, the latter isn't actually a self-issued certificate, it's just expired, but it's invalid too.

On the other hand, implementing the connection params took a lot longer than I anticipate but it's now available in the new environment that replaces Frankfurt: belgium.relaycorp.services (#728). Its connection parameters file can be downloaded from:

https://belgium-poweb.relaycorp.services/connection-params.der

So we basically have to:

  • Refuse endpoint pre-registrations with a GATEWAY_NOT_REGISTERED message when the private gateway's certificate has expired.
  • Replace the hard-coded Internet gateway certificate with the connection params file above.

Please let me know if you have any questions!

@sdsantos sdsantos mentioned this pull request Feb 27, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gnarea gnarea gnarea requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Improvement: alternative to Identity Certificate falling back to self-issued certificate
2 participants
@sdsantos @gnarea